This blog represents most of the newspaper columns (appearing in various Colorado Community Newspapers and Yourhub.com) written by me, James LaRue, during the time in which I was the director of the Douglas County Libraries in Douglas County, Colorado. (Some columns are missing, due to my own filing errors.) This blog covers the time period from April 11, 1990 to January 12, 2012.

Unless I say so, the views expressed here are mine and mine alone. They may be quoted elsewhere, so long as you give attribution. The dates are (at least according to my records) the dates of publication in one of the above print newspapers.

The blog archive (web view) is in chronological order. The display of entries, below, seems to be in reverse order, new to old.

All of the mistakes are of course my own responsibility.

Wednesday, August 16, 1995

August 16, 1995 - hackers and the law

After the Douglas Public Library District computer got "hacked" (see last week's column for details) I reported the incident to the local County Sheriff's Department. Together, an officer and I reviewed the Colorado Computer Crimes law.

To my astonishment, I discovered that no crime had been committed, or at least none that could be prosecuted.

Remember that we traced our hacker back to California. Until an organization or person suffers in excess of $1,500 in real property damages, breaking into a computer system is a misdemeanor in Colorado. Misdemeanors can't be prosecuted across state lines.

Imagine that somebody steps into your house through an open window. They find your house keys, make copies of them, toss some of their stuff in one of your closets, then walk out the front door. What have you lost, exactly?

Nothing but your peace of mind.

So I've concentrated on the computer equivalent of cleaning my closets, securing the windows, and changing the locks.

I've also been doing some reading. Computer crime is on the rise. According to some surveys, hacking increased by 77% between 1993 and 1994. Not only that, it is estimated that most hackers have only a 3% chance of getting caught.

Why do so many hackers get away with it? There are two explanations.

The first is the sheer volume of Internet traffic. Guy Cook, CEO of Colorado SuperNet, Inc., said in a recent interview with the "Denver Business Journal" that it wouldn't be difficult for a particular computer scam -- even something like fencing stolen goods -- "to slip through unnoticed among the libraries of information and the more than 1 million e-mail messages that move through [SuperNet] each month."

The second explanation is the lack of crime-fighting resources. Although there have been several high-profile successes, even the FBI (whom I also called about our hack-in) has trouble ramping up to deal with "virtual" criminals. Hackers may be operating out of the terminal in the room next to you, or a cellular phone and laptop in Washington State. A problem like that requires enormous technical expertise and available staff -- both of which are expensive.

Things may be changing. The FBI is toughening its stance. Clinton's staff is working on a federal computer crime bill. And people are going to jail for hacking, some for as long as 55 years for a single incident.

But according to computer security expert Terence McManus (in a February 1995 piece in the journal "Asian Business" [Hong Kong]), "The only way of protecting a computer system is not to link it to the outside world at all."

Well, for a day or two, I thought about it. Why not pull the Internet plug? Would it be so bad if we could only look up stuff in our own catalog?

But both our patrons and our staff find it a great convenience to browse through the library catalogs of our neighbors. Many times, we are able to quickly locate information that simply isn't readily available any other way. And as the Internet begins to carry even more content, our connection to it will be even more important to the library's daily operations.

We can't go back.

What can YOU learn from our experience?

Mainly, be prepared. The literature suggests that hackers usually break into systems in one of the following ways:

(1) impersonating an authorized employee or vendor agent to get information or physical access. Don't be too friendly over the phone. Ask for a phone number, a full name. Then check the number and call them back. In person, ask for ID, and check it with your vendor.

(2) taking advantage of the defaults shipped with the system and its software. This was our weak spot. Change your passwords regularly, and get rid of any accounts you don't use. A special security audit isn't a bad idea, either.

(3) convincing system hot line support personnel to give out critical information or make system changes -- such as resetting a user's password. Make sure your vendors know who is authorized to deal with them.

All of this may seem like a lot of trouble. That's because it is. Once you open Pandora's box, there's no getting it closed again.

Still, there is Hope. Despite our troubles, our computer connection has demonstrated its value to us. As a result of the break-in, we're a little savvier about system security and the Internet generally. With diligence and luck, we should be able not only to ensure the integrity of our data, but also to offer solid, useful, new services to our patrons.

And that's what it's all about.
